Recycle Bin
The Windows Recycle Bin is a far more forensically rich artifact than its desktop icon suggests. When a user deletes a file through the Windows shell, Windows does not immediately erase it. It moves the file into the hidden $Recycle.Bin directory and creates a companion metadata file alongside it. For investigators, this metadata file is the crucial evidence — it records the file's original path and the precise moment it was deleted.
Imagine throwing a piece of paper in the office bin. The paper is still there, someone just moved it. The Recycle Bin works the same way — deleted files are moved to a hidden folder, not destroyed. More importantly, Windows sticks a sticky note on top of each piece of paper in that bin recording where it came from and when you threw it away. Even after you "empty" the bin and the paper is gone, investigators can sometimes find both.
General
The Recycle Bin is stored in a hidden system directory at $Recycle.Bin\{User-SID}\ on each NTFS volume, one subfolder per user SID. When a file is deleted via Explorer, Windows performs two actions: it renames the actual file to $R followed by six random characters (the original extension is kept) and creates a corresponding metadata file named $I with the same random suffix. The $I metadata files are small binary structures: an 8-byte version field, the deleted file's original size, the deletion timestamp as a 64-bit FILETIME, and the original path encoded as UTF-16LE. Version 1 of the format (Vista through Windows 8.1) stores the path in a fixed 520-byte field; version 2 (Windows 10 and later) prefixes the path with a 4-byte character count. This design has been used since Windows Vista and replaced the older INFO2 file used in Windows XP. Note that Shift+Delete and deletion from a command prompt (del, rd) bypass the Recycle Bin entirely and leave no $I record.
Traces
From each $I metadata file, we extract the following forensically critical data points:
- Original File Path: The full path where the file resided before deletion.
- Deletion Timestamp: The exact FILETIME-encoded UTC timestamp of when the file was sent to the bin.
- Original File Size: The file size in bytes at the time it was deleted.
- User SID: The SID of the account that deleted the file, derived from the parent folder name.
- Format Version: The version field in the $I header (1 on Vista through 8.1, 2 on Windows 10 and later), which also tells the parser how the path field is laid out.
Forensic Value
We parse the Recycle Bin to prove deliberate data destruction and recover deleted content:
- Proving Intentional Deletion: Demonstrating that a suspect knowingly moved files to the trash. Cross-reference these records with the MFT to identify files that were removed without passing through the Recycle Bin (Shift+Delete, command-line deletion, or wiping tools).
- Recovering Deleted Evidence: Retrieving the actual file content from the $R file if it has not yet been overwritten.
- Tracking Anti-Forensics: Identifying a pattern where a suspect deleted forensic tools immediately after use.
- Path Reconstruction: Recovering the original directory location from the $I record even when that directory no longer exists, for example after partial re-formatting of the target drive.
For more info, see also: MFT